This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring Consent Management Dashboards for AU

Over time, bank customers (consumers) may want to revoke the consents they have given Data Recipients to access their account data. WSO2 Open Banking lets consumers, and bank staff acting on their behalf, review and revoke these consents through the dashboards described below.

The consent management dashboards comply with the Consumer Experience (CX) Standards and CX Guidelines in the Consumer Data Standards.



Revoking consents by consumers

Before you begin:

Configure the Consent Management application before trying out the Consent Manager portal. The configuration steps are given below.

The WSO2 Open Banking solution includes consent revocation apps that let bank customers (PSUs, called consumers in the CDR) and banks (ASPSPs, called Data Holders in the CDR) revoke consents. The app provided to the PSU is known as the Self-care portal and the app provided to the ASPSP is known as the Customer Care portal.

To manage the consents granted to a Third-Party Provider (Data Recipient) using the Self-care portal, do the following configurations.

  1. Go to the Identity and Access Management Console at https://<WSO2_OB_KM_HOST>:9446/carbon.
  2. On the Main tab, click Home > Identity > Service Providers> Add.
  3. Enter consentmgt as the Service Provider’s name. 
  4. Click Register.
  5. Click Inbound Authentication configuration > OAuth/OpenID Connect configuration > Configure.
  6. Set the values for the following parameters and keep the default value for the other parameters.

    Parameter           Value
    OAuth Version       2.0
    Allowed Grant Type  code
    Callback URL        regexp=(https://<WSO2_OB_KM_HOST>:9446/consentmgt|https://<WSO2_OB_KM_HOST>:9446/consentmgt)

    The first and second URLs in the pattern are the redirect URL and the logout URL respectively; for the Self-care portal both point at the same location.

    Regex-based callback URLs are supported when defining the callback URL. This lets you register several callback URLs for one application by entering a regex pattern as the value of the Callback URL field.

    The pattern must carry the prefix regexp=. To define a single literal URL, specify the callback URL without this prefix.

    Keep the pattern to an explicit list of exact URLs. Every URL the pattern matches becomes an acceptable redirect target for the authorization code, so do not use open-ended wildcards such as .*, and note that an unescaped dot in a hostname matches any single character.

  7. Click Add.

    The OAuth client key (client ID) and OAuth client secret are generated. You need both in the next step, which configures the consent management Jaggery application.

  8. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/consentmgt/configs/conf.json file. Modify the apimHost, applicationId, authCredential, redirectUrl, and logoutUrl parameters as follows.

    For authCredential, Base64-encode the string CLIENT_ID:CLIENT_SECRET (client ID and client secret separated by a colon, with no trailing newline).

    {
    	"app" : "consentmgt",
    	"applicationType" : "oauth2",
    	"tenantDomain": "carbon.super",
    	"apimHost":"http://<WSO2_OB_APIM_HOST>",
    	"apimNioPort":"8280",
    	"apimHttpPort":"9763",
    	"kmHost" : "https://<WSO2_OB_KM_HOST>",
    	"kmPort" : "9446",
    	"kmTokenAPI" : "oauth2/token",
    	"kmAuthorizeAPI" : "oauth2/authorize",
    	"applicationId":"<CLIENT_ID>",
    	"authCredential":"<BASE64ENCODED CLIENT CREDENTIALS>",
    	"redirectUrl":"https://<WSO2_OB_KM_HOST>:9446/consentmgt",
    	"logoutUrl": "https://<WSO2_OB_KM_HOST>:9446/consentmgt",
    	"tokenApiName" : "token",
    	"tokenApiVersion" : "",
    	"authorizeApiName" : "authorize",
    	"authorizeApiVersion" : "",
    	"pagination" : {
    		"limit" : 11,
    		"actualLimit" : 10,
    		"offset": 0
    	},
    	"DeployedSpecification" : "AU"
    }

    Important

    Update the specification under the DeployedSpecification parameter. Possible values are UK, BERLIN, AU, and STET. The default is UK, so set it to AU for the Australian dashboards.
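To sanity-check the service provider and conf.json settings before starting the portal, here is an added Python example (not code from the WSO2 solution). It builds the authCredential value and verifies that redirectUrl, logoutUrl and DeployedSpecification are consistent with what was registered. The host name obkm.example.com, the client ID and the client secret are made-up sample values, and the check assumes that a regexp= pattern has to match the whole URL (a full match, as Java's String.matches would do) rather than a prefix.

```python
import base64
import json
import re

# Constructed sample of the conf.json fields that matter here; the real file
# lives under <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/consentmgt/configs/.
# Hostname, client ID and secret are made-up values.
SAMPLE_CONF = {
    "app": "consentmgt",
    "applicationType": "oauth2",
    "kmHost": "https://obkm.example.com",
    "kmPort": "9446",
    "applicationId": "AbC123clientId",
    "authCredential": "",  # filled in by build_sample_conf()
    "redirectUrl": "https://obkm.example.com:9446/consentmgt",
    "logoutUrl": "https://obkm.example.com:9446/consentmgt",
    "DeployedSpecification": "AU",
}

# Callback URL as registered on the consentmgt service provider (sample host).
SAMPLE_CALLBACK = ("regexp=(https://obkm.example.com:9446/consentmgt"
                   "|https://obkm.example.com:9446/consentmgt)")

VALID_SPECS = {"UK", "BERLIN", "AU", "STET"}


def make_auth_credential(client_id: str, client_secret: str) -> str:
    """Base64 of 'CLIENT_ID:CLIENT_SECRET' for the authCredential field.

    Encoded from bytes directly, so no trailing newline sneaks in (the usual
    mistake when the value is produced with `echo ... | base64`).
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def callback_matches(registered: str, url: str) -> bool:
    """Does `url` satisfy the SP's Callback URL field?

    With the regexp= prefix the value is a pattern; assumption: the whole URL
    must match (full match). Without the prefix it is a literal URL.
    """
    if registered.startswith("regexp="):
        return re.fullmatch(registered[len("regexp="):], url) is not None
    return registered == url


def check_conf(conf: dict, registered_callback: str) -> list[str]:
    """Return the configuration problems found (an empty list means OK)."""
    problems = []
    if conf.get("DeployedSpecification") not in VALID_SPECS:
        problems.append("DeployedSpecification must be one of UK, BERLIN, AU or STET")
    for key in ("redirectUrl", "logoutUrl"):
        if not callback_matches(registered_callback, conf.get(key, "")):
            problems.append(f"{key} is not covered by the registered callback URL")
    try:
        decoded = base64.b64decode(conf.get("authCredential", ""), validate=True).decode("utf-8")
    except Exception:  # any decode failure is a configuration error
        problems.append("authCredential is not valid Base64")
    else:
        client_id, sep, secret = decoded.partition(":")
        if sep != ":" or not secret:
            problems.append("authCredential must decode to CLIENT_ID:CLIENT_SECRET")
        elif client_id != conf.get("applicationId"):
            problems.append("authCredential client ID does not match applicationId")
        elif secret != secret.strip():
            problems.append("authCredential contains stray whitespace or a newline")
    # An open-ended pattern turns every matching URL into a valid redirect
    # target for the authorization code, so flag wildcards in the callback.
    if registered_callback.startswith("regexp=") and ".*" in registered_callback:
        problems.append("callback regex contains '.*'; list exact URLs instead")
    return problems


def build_sample_conf() -> dict:
    """The sample conf.json with authCredential filled in from sample credentials."""
    conf = dict(SAMPLE_CONF)
    conf["authCredential"] = make_auth_credential(conf["applicationId"], "s3cr3t-value")
    return conf


if __name__ == "__main__":
    conf = build_sample_conf()
    print(json.dumps(conf, indent=2))
    print("problems:", check_conf(conf, SAMPLE_CALLBACK))
```

Run it against your own values by replacing the sample dictionary with the contents of conf.json and the registered callback string; a non-empty problems list is the usual explanation for a redirect_uri mismatch or an authentication failure at the token endpoint when the portal starts.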



The WSO2 Open Banking Consent Manager portal, also known as the Self-care portal, enables consumers to review and revoke the consents they have given for access to their account details.

Let's take a look at how a consumer can revoke consent.

  1. Go to the Consent Manager portal at https://<WSO2_OB_KM_HOST>:9446/consentmgt.

  2. Enter the username and password provided by the bank. Click SIGN IN.
  3. In the Consent Manager portal's home page, you can view a list of consents you have granted to access account information.
    Consent status is displayed to the right of the selected consent. Available consent statuses are Rejected, Awaiting authorisation, Authorised, and Revoked.

  4. Click on a consent to see its details.

    When authorising a consent, the consumer grants it one or more permissions. The table below lists each permission, the authorisation scope it corresponds to, and the data the consent then has access to. A detail scope (common:customer.detail:read, bank:accounts.detail:read) appears against more than one permission because it also covers the data of the matching basic scope.

    Permission name: Organisation profile
    Authorisation scope: common:customer.basic:read
    Data:
    • Agent name and role
    • Organisation name
    • Organisation numbers (ABN or ACN)
    • Charity status
    • Establishment date
    • Industry
    • Organisation type
    • Country of registration

    Permission name: Organisation contact details
    Authorisation scope: common:customer.detail:read
    Data:
    • Organisation address
    • Mail address
    • Phone number

    Permission name: Organisation profile and contact details
    Authorisation scope: common:customer.detail:read
    Data:
    • Agent name and role
    • Organisation name
    • Organisation numbers (ABN or ACN)
    • Charity status
    • Establishment date
    • Industry
    • Organisation type
    • Country of registration
    • Organisation address
    • Mail address
    • Phone number

    Permission name: Account name, type and balance
    Authorisation scope: bank:accounts.basic:read
    Data:
    • Name of account
    • Type of account
    • Account balance

    Permission name: Account numbers and features
    Authorisation scope: bank:accounts.detail:read
    Data:
    • Account number
    • Interest rates
    • Fees
    • Discounts
    • Account terms
    • Account mail address

    Permission name: Account balance and details
    Authorisation scope: bank:accounts.detail:read
    Data:
    • Name of account
    • Type of account
    • Account balance
    • Account number
    • Interest rates
    • Fees
    • Discounts
    • Account terms
    • Account mail address

    Permission name: Transaction details
    Authorisation scope: bank:transactions:read
    Data:
    • Incoming and outgoing transactions
    • Amounts
    • Dates
    • Descriptions of transactions
    • Who you have sent money to and received money from (for example, their name, BSB and account number)

    Permission name: Direct debits and scheduled payments
    Authorisation scope: bank:regular_payments:read
    Data:
    • Direct debits
    • Scheduled payments

    Permission name: Saved payees
    Authorisation scope: bank:payees:read
    Data:
    • Names and details of accounts you have saved (for example, their BSB and account number, BPAY CRN and biller code, or NPP PayID)
  5. If the consumer wants to stop sharing data with the Data Recipient, click Stop sharing.

    Optionally, enter a reason for the revocation. The reason is stored with the consent and helps when its history is reviewed later; providing one is not mandatory.

  6. Click Revoke to confirm the revocation. 

  7. The status of the consent changes to Revoked. Revoked consents remain in the list, so the consent history is still visible.
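The permission table and the Stop sharing flow above, as an added Python example that is not code from the Consent Manager portal. It maps a consent's scopes to the permission names the dashboard shows (a detail scope subsumes its basic scope, and where two rows share a scope the row covering all of that scope's data is used), and it models the revocation: a consent goes from Authorised to Revoked, an optional reason is stored, and the record stays in the list. The sample consents are constructed, and two rules are assumptions rather than statements from the page: only the consumer who granted a consent may revoke it here, and only an Authorised consent can be revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Authorisation scopes and the permission names from the table above.
# For the two detail scopes the table has two rows each; the row that covers
# all of the scope's data is used here.
SCOPE_PERMISSION = {
    "common:customer.basic:read": "Organisation profile",
    "common:customer.detail:read": "Organisation profile and contact details",
    "bank:accounts.basic:read": "Account name, type and balance",
    "bank:accounts.detail:read": "Account balance and details",
    "bank:transactions:read": "Transaction details",
    "bank:regular_payments:read": "Direct debits and scheduled payments",
    "bank:payees:read": "Saved payees",
}
# detail scope -> the basic scope whose data it also covers
SUBSUMES = {
    "common:customer.detail:read": "common:customer.basic:read",
    "bank:accounts.detail:read": "bank:accounts.basic:read",
}
STATUSES = ("Rejected", "Awaiting authorisation", "Authorised", "Revoked")


def effective_scopes(scopes: Iterable[str]) -> set[str]:
    """Scopes the consent really grants: each detail scope implies its basic scope."""
    out = set(scopes)
    out.update(SUBSUMES[s] for s in list(out) if s in SUBSUMES)
    return out


def permissions_for(scopes: Iterable[str]) -> list[str]:
    """Permission names to show on the dashboard for a consent's scopes.

    A basic scope is not listed separately when the matching detail scope is
    present, because the detail row already covers all of its data.
    """
    eff = effective_scopes(scopes)
    hidden = {SUBSUMES[s] for s in eff if s in SUBSUMES}
    return [SCOPE_PERMISSION[s] for s in SCOPE_PERMISSION if s in eff and s not in hidden]


def unknown_scopes(scopes: Iterable[str]) -> set[str]:
    """Scopes on the consent that the dashboard has no permission row for."""
    return set(scopes) - set(SCOPE_PERMISSION)


@dataclass
class Consent:
    consent_id: str
    user_id: str               # consumer who authorised the consent
    data_recipient: str        # Data Recipient application it was granted to
    scopes: frozenset
    status: str
    revocation_reason: Optional[str] = None
    revoked_at: Optional[datetime] = None


class ConsentError(Exception):
    pass


def revoke(consent: Consent, acting_user: str, reason: Optional[str] = None,
           now: Optional[datetime] = None) -> Consent:
    """'Stop sharing' from the Self-care portal.

    Assumptions: only the consumer who granted the consent may revoke it, and
    only an Authorised consent can be revoked. The record is kept, not
    deleted, so the history stays visible in the consumer's list.
    """
    if consent.user_id != acting_user:
        raise ConsentError("consent was granted by a different consumer")
    if consent.status != "Authorised":
        raise ConsentError(f"cannot revoke a consent in status {consent.status!r}")
    consent.status = "Revoked"
    consent.revocation_reason = reason.strip() if reason and reason.strip() else None
    consent.revoked_at = now or datetime.now(timezone.utc)
    return consent


def dashboard(consents: Iterable[Consent], user_id: str) -> list[dict]:
    """What the signed-in consumer sees: their own consents, revoked ones included."""
    return [
        {"consent_id": c.consent_id, "data_recipient": c.data_recipient,
         "status": c.status, "permissions": permissions_for(c.scopes)}
        for c in consents if c.user_id == user_id
    ]


# Constructed sample data, not from the page.
SAMPLE_CONSENTS = [
    Consent("c-1", "jane@gold.com", "Budget App",
            frozenset({"bank:accounts.detail:read", "bank:transactions:read"}), "Authorised"),
    Consent("c-2", "jane@gold.com", "Lending App",
            frozenset({"common:customer.basic:read", "bank:payees:read"}), "Awaiting authorisation"),
    Consent("c-3", "bob@gold.com", "Budget App",
            frozenset({"bank:accounts.basic:read"}), "Authorised"),
]

if __name__ == "__main__":
    revoke(SAMPLE_CONSENTS[0], "jane@gold.com", reason="No longer using the app")
    for row in dashboard(SAMPLE_CONSENTS, "jane@gold.com"):
        print(row)
```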


Revoking consents by Customer Care Representatives

The WSO2 Open Banking Customer Care portal enables the Customer Care Representatives to revoke the consents on behalf of the consumers.

Before you begin:

Create a user with the customer care officer role, as follows.

  1. Sign in to the Identity and Access Management console (https://<WSO2_OB_KM_HOST>:9446/carbon). Use the default super admin credentials:

    Username: admin@wso2.com

    Password: wso2123

    The above credentials are used for demo purposes only. It is recommended to change them in a production environment.

  2. On the Main tab, click Identity > Users and Roles > Add > Add New Role and create the following role:

    Domain: Internal
    Role: CustomerCareOfficer
    Permissions: none required
  3. On the Main tab, click Identity > Users and Roles > Add > Add New User and create the following user:

    User: ann@gold.com
    Roles: Internal/CustomerCareOfficer
  4. Click Finish.

Configuring SSO:

You can configure SSO for the Customer Care portal as follows.

  1. Create a Service provider with the following parameters.
    1. Sign in to the Identity and Access Management console at https://<WSO2_OB_KM_HOST>:9446/carbon.

    2. Go to Home > Identity > Service Providers > Add.

    3. Use the Manual Configuration option and fill in the Basic Information.

    4. Click Register.

    5. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration > Configure.
    6. Configure the following:

      Manual Configuration     Value
      Issuer                   ccportal
      Assertion Consumer URLs  https://<WSO2_OB_KM_HOST>:9446/ccportal/jagg/jaggery_acs.jag

    7. Click Add to add Assertion Consumer URL.

    8. Click Register.

    9. Expand the Local and Outbound Authentication Configuration section and select the authenticators that are used to authenticate users in this service provider (sample value: Default).

    10. Check the Enable Authorization checkbox and click Update.

  2. Setting up the policy.
    1. Follow the instructions in Configuring Access Control Policy for a Service Provider - Setting up the policy and publish a policy using the authn_role_based_policy_template for the Internal/CustomerCareOfficer role.
    2. Given below is a sample policy file:

      <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_ccportal_role_based_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
      	<Description>This policy authorizes Internal/CustomerCareOfficer users to the ccportal service provider in the authentication flow based on the roles of the user. Other users will be denied.</Description>
      	<Target>
      		<AnyOf>
      			<AllOf>
      				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ccportal</AttributeValue>
      					<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      				</Match>
      				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
      					<AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
      				</Match>
      			</AllOf>
      		</AnyOf>
      	</Target>
      	<Rule Effect="Permit" RuleId="permit_by_roles">
      		<Condition>
      			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
      					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/CustomerCareOfficer</AttributeValue>
      					<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      				</Apply>
      			</Apply>
      		</Condition>
      	</Rule>
      	<Rule Effect="Deny" RuleId="deny_others"/>
      </Policy> 
  3. Update SSO configurations.
    1. Open the <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/ccportal/configs/conf.json file.
    2. Update the ssoConfiguration section. Given below is a sample configuration. The keystore path, identityAlias and keyStorePassword shown are the defaults that ship with the product (wso2carbon.jks, alias wso2carbon, password wso2carbon); use your own keystore and password in production.

         "ssoConfiguration":{
            "enabled":"true",
            "issuer":"ccportal",
            "identityProviderURL":"https://localhost:9446/samlsso",
            "keyStorePassword":"wso2carbon",
            "identityAlias":"wso2carbon",
            "verifyAssertionValidityPeriod":"true",
            "timestampSkewInSeconds":"300",
            "audienceRestrictionsEnabled":"true",
            "responseSigningEnabled":"true",
            "assertionSigningEnabled":"true",
            "keyStoreName":"<WSO2_OB_KM_HOME>/repository/resources/security/wso2carbon.jks",
            "signRequests":"true",
            "assertionEncryptionEnabled":"false",
            "idpInit":"false",
            "idpInitSSOURL":"https://localhost:9446/samlsso?spEntityID=ccportal",
            "loginUserNameAttribute":""
         }
  4. Make sure the <WSO2_OB_KM_HOME>/modules/sso/module.xml file contains the following:

    <hostObject>
    	<className>org.wso2.carbon.hostobjects.sso.SAMLSSORelyingPartyObject</className>
    	<name>SSORelyingParty</name>
    </hostObject>
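To make the policy and SSO settings above concrete, here is an added Python example; it is not code from WSO2 and does not run inside the product. The first part evaluates the same decision the XACML policy expresses (target on sp-name and action-name, the role condition with MustBePresent="true", first-applicable combining). The second mirrors the assertion checks that the verifyAssertionValidityPeriod, timestampSkewInSeconds and audienceRestrictionsEnabled settings switch on, with the skew applied to both ends of the validity window. SAMPLE_NOW and the other timestamps are constructed values.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# ---- 1. The role-based XACML policy, as a decision function -------------
# Target:  sp-name == "ccportal" and action-name == "authenticate"
# Rule 1:  permit_by_roles -> Permit when "Internal/CustomerCareOfficer" is in
#          the subject's role bag (designator has MustBePresent="true")
# Rule 2:  deny_others     -> Deny, no condition
# Combining algorithm: first-applicable

POLICY_SP = "ccportal"
POLICY_ACTION = "authenticate"
REQUIRED_ROLE = "Internal/CustomerCareOfficer"


def evaluate_policy(sp_name: str, action: str, roles: Optional[Iterable[str]]) -> str:
    """Return the XACML decision: Permit, Deny, NotApplicable or Indeterminate.

    `roles` is the bag of http://wso2.org/claims/role values; pass None when
    the request carries no role attribute at all.
    """
    # Target: a request for another service provider or action is NotApplicable.
    if sp_name != POLICY_SP or action != POLICY_ACTION:
        return "NotApplicable"
    # Rule permit_by_roles. With MustBePresent="true", a missing role attribute
    # makes the condition, and so the rule, Indeterminate; first-applicable
    # then returns Indeterminate instead of moving on to the next rule.
    if roles is None:
        return "Indeterminate"
    if REQUIRED_ROLE in set(roles):
        return "Permit"
    # Condition false -> rule NotApplicable -> fall through to deny_others.
    return "Deny"


def may_log_in(decision: str) -> bool:
    """The enforcement point must treat anything other than Permit as a refusal."""
    return decision == "Permit"


# ---- 2. Assertion conditions the ccportal SSO settings ask for ----------
# verifyAssertionValidityPeriod -> check NotBefore / NotOnOrAfter
# timestampSkewInSeconds        -> tolerance for clock drift (300 in the sample)
# audienceRestrictionsEnabled   -> the issuer name ("ccportal") must be an Audience

SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def minutes_after(now: datetime, n: int) -> datetime:
    """Helper so timestamps can be written relative to `now` (n may be negative)."""
    return now + timedelta(minutes=n)


def check_assertion_conditions(not_before: Optional[datetime],
                               not_on_or_after: Optional[datetime],
                               audiences: Iterable[str],
                               expected_audience: str,
                               now: datetime,
                               skew_seconds: int = 300,
                               verify_validity: bool = True,
                               verify_audience: bool = True) -> list[str]:
    """Return the reasons to reject the assertion (an empty list means accept)."""
    reasons = []
    skew = timedelta(seconds=skew_seconds)
    if verify_validity:
        # Clock drift is tolerated in both directions, which is also why a
        # large skew widens the window in which a captured assertion replays.
        if not_before is not None and now + skew < not_before:
            reasons.append("assertion not yet valid (NotBefore in the future)")
        if not_on_or_after is not None and now - skew >= not_on_or_after:
            reasons.append("assertion expired (NotOnOrAfter passed)")
    if verify_audience and expected_audience not in set(audiences):
        reasons.append(f"audience restriction does not include {expected_audience}")
    return reasons


if __name__ == "__main__":
    print(evaluate_policy("ccportal", "authenticate", ["Internal/CustomerCareOfficer"]))  # Permit
    print(evaluate_policy("ccportal", "authenticate", ["Internal/everyone"]))             # Deny
    print(evaluate_policy("ccportal", "authenticate", None))                              # Indeterminate
    print(check_assertion_conditions(minutes_after(SAMPLE_NOW, -1), minutes_after(SAMPLE_NOW, 4),
                                     ["ccportal"], "ccportal", SAMPLE_NOW))               # []
```

Note that the user ann@gold.com is denied, not merely unlisted, if the role is misspelt when it is assigned, and that a request without any role claim comes back Indeterminate; the portal must refuse both, which is what may_log_in does.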

Let's take a look at how a Customer Care Representative can revoke a consent.

  1. Sign in to the Customer Care Portal (https://<WSO2_OB_KM_HOST>:9446/ccportal) using the username and password of the Customer Care user.

    Troubleshooting

    If you get hostname verification errors when accessing the Customer Care portal, add the following JVM options to the <WSO2_OB_KM_HOME>/bin/wso2server.sh file and restart the server:

    -Dhttpclient.hostnameVerifier="DefaultAndLocalhost" \
    -Dorg.wso2.ignoreHostnameVerification=true \

    These options relax TLS hostname verification on the server's outbound HTTP connections. They are a workaround for development setups whose certificates do not match the host name; in production, issue certificates for the real host names instead of leaving verification disabled.

  2. You can filter and search for consents.
     
    Filter based on the following parameters:
    • User ID: The user ID created for the consumer in the online banking application.
    • Consent Type: Selected as Accounts by default.
    • Application: The Data Recipient applications authorised for the Data Holder are listed here. Select the application the consumer has given consent to.
    • Status: The status of the consent. Possible values are Rejected, Awaiting Authorisation, Authorised, and Revoked.
    • Set Date Range: The date range in which the consent is valid.

    You can use one or more filter options and proceed to search.

  3. Click Search.
  4. A list of search results is displayed. You can view the consent information by clicking the consent.

  5. Click the consent you want to revoke and view the consent details. 
  6. Click Revoke.

  7. You are asked for an optional reason for the revocation.

    The reason is stored with the consent and helps when its history is reviewed later; providing one is not mandatory.


  8. Click Revoke to confirm the revocation.
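The search step above, as an added Python example that is not the Customer Care portal's own code. It applies the User ID, Consent Type, Application, Status and date-range filters to a set of constructed consent records and gates use of the search behind the Internal/CustomerCareOfficer role created earlier. Treating the date range as an overlap with the consent's validity period, and the exact record fields, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

CCPORTAL_ROLE = "Internal/CustomerCareOfficer"
STATUSES = ("Rejected", "Awaiting Authorisation", "Authorised", "Revoked")


@dataclass(frozen=True)
class ConsentRecord:
    consent_id: str
    user_id: str          # consumer's user ID in the online banking application
    application: str      # Data Recipient application
    consent_type: str     # the portal defaults this to "Accounts"
    status: str
    valid_from: date
    valid_to: date


def ymd(text: str) -> date:
    """Parse an ISO date such as '2023-10-01' (helper for sample data)."""
    return date.fromisoformat(text)


def can_use_ccportal(roles: Iterable[str]) -> bool:
    """Portal access is limited to users holding the customer care officer role."""
    return CCPORTAL_ROLE in set(roles)


def search_consents(records: Iterable[ConsentRecord], *,
                    user_id: Optional[str] = None,
                    application: Optional[str] = None,
                    status: Optional[str] = None,
                    date_from: Optional[date] = None,
                    date_to: Optional[date] = None,
                    consent_type: str = "Accounts") -> List[ConsentRecord]:
    """Apply the portal's filters; a filter left as None does not constrain.

    Assumption: a consent matches the date range when its validity period
    overlaps the requested range. Unknown statuses are rejected up front so a
    typo cannot silently return an empty result.
    """
    if status is not None and status not in STATUSES:
        raise ValueError(f"unknown status {status!r}; expected one of {STATUSES}")
    if date_from is not None and date_to is not None and date_from > date_to:
        raise ValueError("date_from must not be after date_to")
    hits = []
    for r in records:
        if r.consent_type != consent_type:
            continue
        if user_id is not None and r.user_id != user_id:
            continue
        if application is not None and r.application != application:
            continue
        if status is not None and r.status != status:
            continue
        if date_from is not None and r.valid_to < date_from:
            continue   # consent ended before the range starts
        if date_to is not None and r.valid_from > date_to:
            continue   # consent starts after the range ends
        hits.append(r)
    return hits


def search_as(roles: Iterable[str], records: Iterable[ConsentRecord], **filters) -> List[ConsentRecord]:
    """Search on behalf of a signed-in user, refusing users without the role."""
    if not can_use_ccportal(roles):
        raise PermissionError("customer care officer role required")
    return search_consents(records, **filters)


# Constructed sample records, not from the page.
SAMPLE_RECORDS = [
    ConsentRecord("c-1", "jane@gold.com", "Budget App", "Accounts", "Authorised",
                  ymd("2023-01-10"), ymd("2024-01-10")),
    ConsentRecord("c-2", "jane@gold.com", "Lending App", "Accounts", "Revoked",
                  ymd("2023-03-01"), ymd("2023-09-01")),
    ConsentRecord("c-3", "bob@gold.com", "Budget App", "Accounts", "Authorised",
                  ymd("2023-06-01"), ymd("2024-06-01")),
]

if __name__ == "__main__":
    officer = ["Internal/everyone", CCPORTAL_ROLE]
    for r in search_as(officer, SAMPLE_RECORDS, user_id="jane@gold.com", status="Authorised"):
        print(r.consent_id, r.application, r.status)
```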